Windows Authentication and Active Directory

ASP.NET lets you authenticate users in several ways. In this lesson we cover two of them, Basic authentication and Windows authentication. You can refer to MSDN here or here if you want more details about these two modes.

Basic authentication

When IIS is configured for Basic authentication, it instructs the browser to send the user's credentials over HTTP. The user name and password are encoded with Base64. Although the password is encoded, Base64 is not encryption and the credentials can be decoded trivially by anyone who sees the request, so Basic authentication should only be used over HTTPS. The browser prompts the user with a dialog box, and then reissues the original anonymous request with the supplied credentials, including the user name and password. A pop-up logon dialog box may or may not be appropriate, depending on your user interface design requirements. Most Internet browsers support Basic authentication.

IIS configuration

The first thing to do is to enable Basic authentication in IIS for your website. Open "Internet Information Services (IIS) Manager", click on your site, click on "Authentication" and check that "Basic Authentication" is present in the list.
If Basic authentication is not present, you have to install it. In the Control Panel, open "Turn Windows features on or off", navigate to "Internet Information Services", "World Wide Web Services", "Security", and then check "Basic Authentication".
After restarting IIS you will see this authentication mode in the list. Disable all modes in IIS except "Basic Authentication"; IIS is now ready to use this mode.
IIS is now correctly configured for Basic authentication. The next step is to configure our project.

Adapt your M# project

Web.config:

UI elements

When you create a new project in M# the default template contains a lot of code. Part of this code is not needed with Basic authentication, so for example you can remove:

Remove the login page.

Remove the logout link in the footer.

In Global.asax, remove the Application_AuthenticateRequest method.

Clean the App_Code\Context.cs file; only the User property is important.

User entity

Delete the existing User entity and create a new Transient entity also named "User". Open the Logic file associated with the User entity and implement IUser. Add three calculated properties to your entity and implement the getters as follows.
As you can notice, we use System.Web.HttpContext.Current.User.Identity to get the current user. You may be unfamiliar with this way of getting the current user, but keep in mind that we disabled anonymous connections, so this value cannot be null in our case.

It is not difficult to implement the GetRole() function: use System.Web.HttpContext.Current.User.IsInRole("Role") to check whether the user belongs to a role or not. In our example we check if the user is a member of the "Administrators" group and return the M# role defined in the M# settings.

Do not forget to add the read-only property User to Context.cs, so you can easily access the user object everywhere in your application.

Develop like before

We have now implemented the basic structure of the application using Basic authentication; in your pages you can continue developing as you used to. For example, you can still set the visibility of a module or button depending on the user's role, or display the name of the user.

Windows authentication

Integrated Windows authentication (using either NTLM challenge/response or Kerberos) authenticates a user with a Windows NT Domain or Active Directory account. Unlike Basic and Digest authentication, the password itself is never sent across the network (only a challenge/response or a Kerberos ticket), which makes this method considerably more secure.

This authentication mode is very similar to the Basic one in M#. In IIS, disable all authentication modes except "Windows Authentication". If this mode is not present, add it the same way we did earlier for Basic authentication.

Extend

Previously we only got basic information about the user (domain and user name); you may want to go further and get more details from Active Directory. To do so, you can slightly change the Context.cs file to return the result of the following function:
You may also want to persist application-specific data related to a user. Change the Database mode of your entity from Transient to Managed, create a new unique property that will hold the user's full name, and add your new properties. The first time a user accesses your website, create an empty record for them or redirect them to a custom page that populates the data.
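The following is an added example, not M#'s own code, covering both the User entity section (reading HttpContext.Current.User, mapping the Administrators group to a role) and the Active Directory extension above. It assumes the application role names "Admin" and "User", the System.DirectoryServices.AccountManagement assembly being referenced, and a domain-joined server; unlike the Logic file described above, it also fails closed if no authenticated identity is present.

```csharp
// Added example (not M#'s code): current-user helper for IIS Basic or Windows authentication.
// Assumed: role names "Admin"/"User", System.DirectoryServices.AccountManagement referenced.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;
using System.Web;

public class CurrentUser
{
    public string Domain { get; private set; }
    public string UserName { get; private set; }
    public string Role { get; private set; }
    public string DisplayName { get; private set; }
    public string Email { get; private set; }

    // Builds the user from HttpContext.Current.User, as the entity's calculated getters do.
    public static CurrentUser FromRequest()
    {
        IPrincipal principal = HttpContext.Current == null ? null : HttpContext.Current.User;
        // Anonymous access is disabled in IIS, so an unauthenticated principal signals a
        // misconfiguration: fail closed instead of treating it as a valid user.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            throw new UnauthorizedAccessException("No authenticated Windows identity on the request.");

        // Identity.Name is "DOMAIN\user" under both Basic and Windows authentication.
        string[] parts = principal.Identity.Name.Split(new[] { '\\' }, 2);
        var user = new CurrentUser
        {
            Domain = parts.Length == 2 ? parts[0] : Environment.MachineName,
            UserName = parts.Length == 2 ? parts[1] : parts[0],
            // Map membership of the Administrators group to the application role (assumed names).
            Role = principal.IsInRole(@"BUILTIN\Administrators") ? "Admin" : "User"
        };
        user.LoadFromActiveDirectory();
        return user;
    }

    // Extension: look up display name and e-mail for the account in Active Directory.
    private void LoadFromActiveDirectory()
    {
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, Domain))
            using (var p = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, UserName))
            {
                if (p == null) return;
                DisplayName = p.DisplayName;
                Email = p.EmailAddress;
            }
        }
        catch (PrincipalServerDownException) { /* DC unreachable: keep identity-only fields */ }
    }
}
```

The Context.cs User property can simply return CurrentUser.FromRequest(); when moving the entity to Managed mode, the UserName and Domain values are what you would use as the unique key when creating the first record.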